On 22 February 2018, changes to the Privacy Act 1988 (Cth) (the Act) will take effect and a new Notifiable Data Breach (NDB) Scheme will be in force. This reform will affect the privacy obligations of all non-government schools that are governed by the Privacy Act and the Australian Privacy Principles (APPs).

Personal Information and Data Breaches

Schools collect and store a vast array of personal information about students and staff through the operation of their day-to-day functions. Also, advances in technology are enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. For this reason, it is important that school communities practise a privacy-aware culture to ensure that the collection, storage, use and disclosure of personal information about students and staff comply with the APPs.

A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches are not limited to hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.

Notifiable Data Breaches

As stated in our previous article, the NDB Scheme prevents schools from concealing breaches if the breach is considered to result in serious harm to the affected person(s), i.e. what the Office of the Australian Information Commissioner (OAIC) considers to be an eligible data breach (also known as an NDB). Pursuant to section 26WE of the Act, an eligible data breach (NDB), which would require notification, occurs in circumstances where:

there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates, or

information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.

Examples of circumstances which may meet the criteria of an NDB include when:

a device containing a member of the school community’s personal information is lost or stolen (e.g. a school laptop)

a database containing personal information is hacked

personal information about students or staff is mistakenly provided to the wrong person

The introduction of the NDB Scheme is something that schools need to take seriously. After 22 February 2018, monetary penalties of up to $360,000 for individuals and $1.8 million for organisations will apply for failing to comply with the new legislation. Schools should also look closely at their cyber security policies to prevent data breaches from occurring in the future, make sure their personal information handling guidelines are clear, and ensure all staff are trained in their use.